---
title: "OpenSSL Heartbleed vulnerability"
shorturl: "heartbleed"
active: false
show_toc: true
banner: ""
date: 2014-04-11
---

<div class="post-content" markdown="1">

<h2 id="what-happened">What happened</h2>
 
<p>The version of OpenSSL used by Bitcoin Core software version 0.9.0 and earlier
contains a bug that can reveal memory to a remote attacker. See 
<a href="http://heartbleed.com/">http://heartbleed.com/</a>
for details.
</p>
</div>

<div class="toccontent-block boxexpand expanded" markdown="1">
<h2 id="what-you-should-do">What you should do</h2>
 
<p>Immediately upgrade to <a href="/en/download">Bitcoin Core version 0.9.1</a>, which is linked against
OpenSSL version 1.0.1g.</p>

<p>If you use the official binaries, you can verify the version of OpenSSL being
used from the Bitcoin Core GUI's Debug window (accessed from the Help menu).
If you compiled Bitcoin Core yourself or use the Ubuntu PPA, update your
system's OpenSSL.</p>

<p>Linux users should also upgrade their system's version of OpenSSL.</p>

<h3 id="android">Android</h3>

<p>Android version 4.1.1 is vulnerable to Heartbleed. If you can, upgrade to at
least Android 4.1.2. If you are using Bitcoin Wallet on an Android phone, you
should upgrade the app to at least version 3.45.</p>
</div>

<div class="toccontent-block boxexpand expanded" markdown="1">
<h2 id="how-serious-is-the-risk">How serious is the risk</h2>
 
<p>If you are using the Windows version of the Bitcoin Core GUI without a wallet
passphrase, it is possible that your wallet could be compromised by clicking
on a bitcoin: payment request link.</p>

<p>If you are using bitcoind (on Linux, OSX, or Windows),
have enabled the -rpcssl option, and allow RPC connections
from the Internet, an attacker from a whitelisted (-allowip) IP address can
very likely discover the rpcpassword and the last RPC request. It is possible
(but unlikely) that private keys could be sent to the attacker.</p>
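
<p>One way to check a node for the bitcoind exposure described above, as an added example (not Bitcoin Core's own code). It assumes the options are set in bitcoin.conf rather than on the command line, that the allowlist is the <code>rpcallowip</code> key, and that the affected range is OpenSSL 1.0.1 through 1.0.1f as published in the OpenSSL advisory; the function names and the sample configuration are constructed for illustration.</p>

```python
import ipaddress
import re

def openssl_is_vulnerable(version_line):
    """True for OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the fix.

    Only the 1.0.1 series is classified. Distribution packages may backport
    the fix without changing the letter, so True on a distro build means
    "check the package changelog", not proof of exposure.
    """
    m = re.search(r"\b1\.0\.1([a-z]?)\b", version_line)
    return bool(m) and m.group(1) < "g"  # "" and "a".."f" sort below "g"

def parse_conf(text):
    """Collect key=value pairs from bitcoin.conf text; keys may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def is_loopback(entry):
    try:
        return ipaddress.ip_network(entry, strict=False).is_loopback
    except ValueError:
        return False  # wildcard or hostname form: treat as remote

def exposed_rpc_peers(conf_text, version_line):
    """Non-loopback rpcallowip entries that can reach a vulnerable TLS RPC port."""
    conf = parse_conf(conf_text)
    if not openssl_is_vulnerable(version_line):
        return []
    if "1" not in conf.get("rpcssl", []):
        return []
    return [e for e in conf.get("rpcallowip", []) if not is_loopback(e)]

# Constructed sample configuration (documentation address, placeholder secret).
SAMPLE_CONF = """\
rpcuser=bitcoinrpc
rpcpassword=placeholder-not-a-real-secret
rpcssl=1
rpcallowip=127.0.0.1
rpcallowip=203.0.113.7
rpcallowip=192.168.1.*
"""

if __name__ == "__main__":
    print(exposed_rpc_peers(SAMPLE_CONF, "OpenSSL 1.0.1e 11 Feb 2013"))
```

<p>An empty result means the RPC conditions listed above are not all met in the configuration file; it says nothing about the payment request case in the GUI.</p>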
 
 
<div style="text-align:right">
  <i>This notice last updated: Fri, 11 Apr 2014 12:19:23 -0400</i>
</div>
</div>